Re: [opensuse-security] SuSEfirewall2 SFW2-OUT-ERROR messages

On Sunday, 2 September 2007 22:26, Malte Gell wrote:

> after having some problems to reach some web sites I found some messages
> in /var/log/firewall which all look like this:
> Sep  1 15:54:38 linux kernel: SFW2-OUT-ERROR IN= OUT=dsl0
> SRC=84.172.xxx.xx DST= LEN=52 TOS=0x00 PREC=0x00 TTL=64
> ID=16961 DF PROTO=TCP SPT=29084 DPT=80 WINDOW=1954 RES=0x00 ACK FIN
> URGP=0 OPT (0101080A001FDE00356C0128)
> which could not be reached is a Shoutcast machine. I
> wonder why SuSEfirewall2 has blocked this.

I doubt that SFW2 blocked the connection to Why?
1. your log entry is just a log entry. See "iptables -nvL OUTPUT", the rule 
causing SFW2-OUT-ERRORs goes to LOG. This is a "non-terminating target" and 
the default policy is ACCEPT. Hence, no block, just log.
2. the packet caught by the log entry is ACK FIN. Such packets belong to 
the TCP teardown and will terminate a TCP connection. Thus, SFW2 just 
blocked a termination, not a connection attempt.

> [...].
> Do you have any idea where this comes from?

For me it looks like iptables assumes that the connection was already closed 
and, thus, has left the ESTABLISHED state. Consequently, the rule in OUTPUT 
chain that catches packets of state NEW,RELATED,ESTABLISHED is not hit. 
Perhaps the entry in the connection tracking table 
(see /proc/net/ip_conntrack) already expired due to a timeout. This makes 
sense if you actually had problems reaching a destination. After a while 
your computer tries to close the never completely established connection, 
which iptables is no longer aware of.

Sorry, no better explanation available. :-/

The person who knows everything has a lot to learn.
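An added example, not code from either poster: a small parser for netfilter LOG lines in the SFW2 format shown above, which splits the bare TCP flag tokens (ACK, FIN, SYN, RST) out of the KEY=VALUE fields and classifies each logged packet as a connection attempt, a teardown, or something else. The point of the reply is that a SFW2-OUT-ERROR line with ACK FIN is a close, not a failed connect, and that a LOG target on its own drops nothing; sorting the lines this way shows which entries, if any, correspond to real connection attempts worth checking against "iptables -nvL OUTPUT". The sample lines are constructed (RFC 5737 documentation addresses stand in for the anonymised DST), and the function names are this example's own.

```python
import re

# Constructed sample lines in the SuSEfirewall2 / netfilter LOG format.
# These are not the original poster's lines; DST uses documentation addresses.
SAMPLE_LOG = """\
Sep  1 15:54:38 linux kernel: SFW2-OUT-ERROR IN= OUT=dsl0 SRC=84.172.0.1 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=16961 DF PROTO=TCP SPT=29084 DPT=80 WINDOW=1954 RES=0x00 ACK FIN URGP=0 OPT (0101080A001FDE00356C0128)
Sep  1 15:55:01 linux kernel: SFW2-OUT-ERROR IN= OUT=dsl0 SRC=84.172.0.1 DST=192.0.2.11 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=17001 DF PROTO=TCP SPT=29090 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Sep  1 15:55:07 linux kernel: SFW2-OUT-ERROR IN= OUT=dsl0 SRC=84.172.0.1 DST=192.0.2.12 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=17010 DF PROTO=TCP SPT=29091 DPT=80 WINDOW=0 RES=0x00 ACK RST URGP=0
Sep  1 15:55:09 linux kernel: SFW2-OUT-ERROR IN= OUT=dsl0 SRC=84.172.0.1 DST=192.0.2.13 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53412 DPT=53 LEN=56
"""

# TCP flag names that netfilter prints as bare tokens (no '=').
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_netfilter_line(line):
    """Parse one kernel LOG line into a dict of KEY=VALUE fields plus a 'flags' set.

    Returns None for lines that do not carry an SFW2 log prefix.
    """
    m = re.search(r"kernel: (SFW2-\S+)\s+(.*)$", line)
    if not m:
        return None
    prefix, body = m.groups()
    fields = {"prefix": prefix}
    for key, value in KV_RE.findall(body):
        fields[key] = value          # empty values (IN=, DST=) are kept as ""
    bare = [tok for tok in body.split() if "=" not in tok]
    fields["flags"] = {tok for tok in bare if tok in TCP_FLAGS}
    fields["df"] = "DF" in bare
    return fields


def classify(fields):
    """Say which phase of a TCP conversation the logged packet belongs to."""
    if fields.get("PROTO") != "TCP":
        return "non-tcp"
    flags = fields["flags"]
    if "SYN" in flags and "ACK" not in flags:
        return "connection-attempt"  # a new connection; this is the case that matters if a rule DROPs
    if "RST" in flags or "FIN" in flags:
        return "teardown"            # closing a connection conntrack may already have forgotten
    return "mid-stream"


def summarise(log_text):
    """Count logged packets per class so attempts and teardowns can be told apart."""
    counts = {}
    for line in log_text.splitlines():
        fields = parse_netfilter_line(line)
        if fields is None:
            continue
        kind = classify(fields)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        f = parse_netfilter_line(line)
        print(f["prefix"], f.get("PROTO"), f.get("DST"), f.get("DPT"), sorted(f["flags"]), classify(f))
    print(summarise(SAMPLE_LOG))
```

Run it against a real /var/log/firewall by replacing SAMPLE_LOG with the file's contents; only the "connection-attempt" entries describe packets that a terminating rule could have prevented from opening anything, and even those need the "iptables -nvL OUTPUT" counters to confirm a DROP or REJECT rather than a bare LOG.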
